Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer

Malicious yet legitimate-looking Google Chrome browser extensions that steal people's passwords and other sensitive data can still make it into the official app store, despite Google's adoption of a standard aimed at preventing this from happening.

That's the word from researchers at the University of Wisconsin–Madison, who have created a proof-of-concept, data-stealing browser extension that successfully passed the Chrome Web Store review process despite its compliance with Manifest V3, Chrome's latest security and privacy standard, they reported in a research paper posted online.

Google Chrome's adoption of Manifest V3 — which Microsoft Edge and Mozilla Firefox also now support — is a "balancing act" between allowing browser extensions the access they need to run effectively, while protecting users by not giving malicious extensions the same access, Mark Stockley, a cybersecurity evangelist from Malwarebytes Labs, wrote in a blog post published this week.

"The standard tightens up security in a number of ways, most notably by stopping extensions from downloading code from remote websites," he wrote. This, in turn, stops them from changing their functionality once they're installed, allowing Google to understand what an extension does before allowing it to be posted on the Chrome store.

However, Google's adoption of Manifest V3 didn't stop researchers Asmit Nayak, Rishabh Khandelwal, and Kassem Fawaz from University of Wisconsin–Madison from building a browser extension that leveraged techniques from static and dynamic code injection attacks to bypass the Chrome store's review process.

How the Extension Works

Specifically, the researchers uncovered two vulnerabilities in input fields, one of which was "the alarming discovery of passwords in plaintext within the HTML source code of the web page," they wrote in their paper.

The reason that their extension can still successfully steal data from browsers is because despite the adoption of Manifest V3, "the interaction between the extensions and the web pages has not changed," they wrote.

"The extensions can still access entire contents of the web pages, including text input fields where users may enter sensitive information such as passwords, Social Security numbers, and credit-card information," according to the paper.

The researchers disguised their extension as a "GPT-based assistant offering ChatGPT-like functions on websites," which allowed it to plausibly ask for permission to run on all websites, Stockley explained.

The extension — which was removed once it passed the review process — could run three attacks based on vulnerabilities that continue to exist in how websites and browsers interact: a source extraction attack, a value attack, and an element substitution attack.

The first attack allowed the researchers to copy the sensitive values of website input fields from the element’s outer HTML; the second allowed them to select the target input field and read the sensitive values; and the third allowed them to bypass JavaScript-based obfuscation to extract sensitive values.

Extensions Have Too Much Access to Web Functions

The success of the browser attacks hinge on the fact that browser extensions have "full and unfettered access" to the Document Object Model (DOM) of every webpage that someone visits, Stockley explained. The DOM is a representation of a webpage in computer memory that can be accessed and changed, allowing the page to be modified on the fly.

"Full access to a page's DOM gives extensions tremendous power, which includes reading or modifying text input fields, like the ones you type your passwords into," he wrote.

While the success of the researchers' technique depends on the way the page is designed, most of the top 10,000 websites are vulnerable, including the likes of google.com, facebook.com, gmail.com, cloudflare.com, and amazon.com, among others, the researchers claimed.

"Our measurements and case studies reveal that these vulnerabilities are prevalent across various websites, with sensitive user information, such as passwords, exposed in the HTML source code of even high-traffic sites," they wrote.

Moreover, some 12.5% of extensions possess the necessary permissions to exploit these vulnerabilities, they wrote, identifying 190 extensions that directly access password fields.

Protecting Sensitive Browser Data

It's no secret how great a risk malicious browser extensions pose not just to Google Chrome — which has been fighting an uphill battle for years to remove bad plug-ins from its store — but to all browsers. Indeed, recent research found that more than half of all browser extensions currently installed are high risk and had the potential to cause extensive damage to organizations using them.

To counter the threats that their paper uncovered, the researchers shared countermeasures that can be implemented in the form of a "bolt-on" solution that would provide an add-on package to a browser, and a "built-in" solution developed directly in the browser itself.

The former is a proposed JavaScript package that website developers can adopt that allows them to protect sensitive input fields. The latter solution would be an alert at the browser level that lets users known when an extension accesses sensitive input fields, "both when the sensitive input field is selected and when its value is read," the researchers wrote.